The Content Editing Wizards component in TYPO3 4.5.0 through 4.5.31, 4.7.0 through 4.7.16, 6.0.0 through 6.0.11, and 6.1.0 through 6.1.6 does not check permissions, which allows remote authenticated editors to read arbitrary TYPO3 table columns via unspecified parameters.
Affected Software
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Typo3 | Typo3 | 4.5.0 (including) | 4.5.0 (including) |
| Typo3 | Typo3 | 4.5.1 (including) | 4.5.1 (including) |
| Typo3 | Typo3 | 4.5.2 (including) | 4.5.2 (including) |
| Typo3 | Typo3 | 4.5.3 (including) | 4.5.3 (including) |
| Typo3 | Typo3 | 4.5.4 (including) | 4.5.4 (including) |
| Typo3 | Typo3 | 4.5.5 (including) | 4.5.5 (including) |
| Typo3 | Typo3 | 4.5.6 (including) | 4.5.6 (including) |
| Typo3 | Typo3 | 4.5.7 (including) | 4.5.7 (including) |
| Typo3 | Typo3 | 4.5.8 (including) | 4.5.8 (including) |
| Typo3 | Typo3 | 4.5.9 (including) | 4.5.9 (including) |
| Typo3 | Typo3 | 4.5.10 (including) | 4.5.10 (including) |
| Typo3 | Typo3 | 4.5.11 (including) | 4.5.11 (including) |
| Typo3 | Typo3 | 4.5.12 (including) | 4.5.12 (including) |
| Typo3 | Typo3 | 4.5.13 (including) | 4.5.13 (including) |
| Typo3 | Typo3 | 4.5.14 (including) | 4.5.14 (including) |
| Typo3 | Typo3 | 4.5.15 (including) | 4.5.15 (including) |
| Typo3 | Typo3 | 4.5.16 (including) | 4.5.16 (including) |
| Typo3 | Typo3 | 4.5.17 (including) | 4.5.17 (including) |
| Typo3 | Typo3 | 4.5.18 (including) | 4.5.18 (including) |
| Typo3 | Typo3 | 4.5.19 (including) | 4.5.19 (including) |
| Typo3 | Typo3 | 4.5.20 (including) | 4.5.20 (including) |
| Typo3 | Typo3 | 4.5.21 (including) | 4.5.21 (including) |
| Typo3 | Typo3 | 4.5.22 (including) | 4.5.22 (including) |
| Typo3 | Typo3 | 4.5.23 (including) | 4.5.23 (including) |
| Typo3 | Typo3 | 4.5.24 (including) | 4.5.24 (including) |
| Typo3 | Typo3 | 4.5.25 (including) | 4.5.25 (including) |
| Typo3 | Typo3 | 4.5.26 (including) | 4.5.26 (including) |
| Typo3 | Typo3 | 4.5.27 (including) | 4.5.27 (including) |
| Typo3 | Typo3 | 4.5.28 (including) | 4.5.28 (including) |
| Typo3 | Typo3 | 4.5.29 (including) | 4.5.29 (including) |
| Typo3 | Typo3 | 4.5.30 (including) | 4.5.30 (including) |
| Typo3 | Typo3 | 4.5.31 (including) | 4.5.31 (including) |
| Typo3-src | Ubuntu | lucid | * |
| Typo3-src | Ubuntu | precise | * |
| Typo3-src | Ubuntu | quantal | * |
| Typo3-src | Ubuntu | raring | * |
| Typo3-src | Ubuntu | saucy | * |
| Typo3-src | Ubuntu | upstream | * |
References
- http://lists.opensuse.org/opensuse-security-announce/2016-08/msg00028.html
- http://lists.opensuse.org/opensuse-updates/2016-08/msg00083.html
- http://lists.opensuse.org/opensuse-updates/2016-08/msg00106.html
- http://seclists.org/oss-sec/2013/q4/473
- http://seclists.org/oss-sec/2013/q4/487
- http://typo3.org/teams/security/security-bulletins/typo3-core/typo3-core-sa-2013-004/
- http://www.debian.org/security/2014/dsa-2834
- http://lists.opensuse.org/opensuse-security-announce/2016-08/msg00028.html
- http://lists.opensuse.org/opensuse-updates/2016-08/msg00083.html
- http://lists.opensuse.org/opensuse-updates/2016-08/msg00106.html
- http://seclists.org/oss-sec/2013/q4/473
- http://seclists.org/oss-sec/2013/q4/487
- http://typo3.org/teams/security/security-bulletins/typo3-core/typo3-core-sa-2013-004/
- http://www.debian.org/security/2014/dsa-2834